WireGuard: Next Generation Kernel Network Tunnel
WireGuard is increasingly chosen over IPsec and OpenVPN for new VPN deployments. Its small codebase (on the order of 4,000 lines for the kernel implementation, versus hundreds of thousands of lines across OpenVPN plus its TLS library, or an IPsec stack plus its IKE daemon) makes it practical to audit in full. Used by Tailscale, Mullvad, Mozilla VPN, and many other modern VPN services.
What It Defines
Modern VPN protocol designed for simplicity and performance. Uses a fixed cryptographic suite: the Noise_IKpsk2 handshake pattern from the Noise Protocol Framework, Curve25519 for ECDH, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing, SipHash24 for hashtable keys, and HKDF for key derivation. There is no cipher negotiation, so there is no downgrade surface; if a primitive is ever broken, the fix is a new protocol version, not a configuration change. Operates as a Layer 3 tunnel via a virtual network interface (e.g., wg0). Each peer has a static Curve25519 key pair; configuration is a simple list of peers with their public keys and allowed IP ranges. Those AllowedIPs entries are what WireGuard calls cryptokey routing: they are both the outbound routing table (a packet for a destination is sent to the peer whose AllowedIPs covers it) and the inbound source-address filter (a decrypted packet is dropped unless its source address belongs to the peer that sent it). An optional pre-shared key per peer mixes a symmetric secret into the handshake as a hedge against future Curve25519 breaks. The 1-RTT handshake establishes a session, and session keys are rotated automatically after a few minutes. Built into the Linux kernel since 5.6 (2020), with userspace implementations for all major platforms. WireGuard is specified by its author's whitepaper and reference implementation rather than by an IETF RFC.
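The cryptokey routing rule described above is easy to state and easy to get wrong in a firewall mindset, so here is a small model of it as an added example (not WireGuard's own code). It builds the AllowedIPs table for a hypothetical three-peer interface, does the longest-prefix lookup WireGuard performs for outbound packets, applies the same lookup as the inbound source check, and emits a wg-quick style config from the same data. The peer names, addresses and the placeholder key strings are constructed for the example; real keys are 32-byte Curve25519 values encoded in base64.

```python
"""Model of WireGuard cryptokey routing: AllowedIPs is at once the
outbound routing table and the inbound source-address ACL.
Added example; not code from the WireGuard project."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    public_key: str          # base64 Curve25519 public key (placeholder here)
    allowed_ips: List[str]   # CIDR prefixes this peer is allowed to use
    endpoint: Optional[str] = None


class CryptokeyRouter:
    def __init__(self, peers: List[Peer]):
        self.peers = {p.name: p for p in peers}
        table = {}
        for p in peers:
            for cidr in p.allowed_ips:
                net = ipaddress.ip_network(cidr, strict=False)
                # A prefix belongs to exactly one peer. As with `wg set`,
                # assigning it again moves it to the later peer.
                table[net] = p
        # Most specific prefix first, so the first hit is the longest match.
        self.table = sorted(table.items(),
                            key=lambda kv: kv[0].prefixlen, reverse=True)

    def route(self, dst: str) -> Optional[Peer]:
        """Outbound: which peer receives a packet for dst (None = dropped)."""
        addr = ipaddress.ip_address(dst)
        for net, peer in self.table:
            if addr.version == net.version and addr in net:
                return peer
        return None

    def accept_inbound(self, sender: str, src: str) -> bool:
        """Inbound: a decrypted packet from `sender` is kept only if the
        same table maps its source address back to that sender."""
        return self.route(src) is self.peers[sender]


def wg_quick_config(private_key: str, address: str, listen_port: int,
                    router: CryptokeyRouter) -> str:
    """Render the peer table as a wg-quick [Interface]/[Peer] file."""
    lines = ["[Interface]", f"PrivateKey = {private_key}",
             f"Address = {address}", f"ListenPort = {listen_port}"]
    for p in router.peers.values():
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.public_key}",
                  "AllowedIPs = " + ", ".join(p.allowed_ips)]
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}")
    return "\n".join(lines) + "\n"


# Constructed sample: a road-warrior interface with an office gateway,
# a second laptop, and an exit node that catches everything else.
EXAMPLE_PEERS = [
    Peer("office", "OFFICE_PUBKEY_BASE64=", ["10.0.0.1/32", "192.168.10.0/24"],
         endpoint="vpn.example.test:51820"),
    Peer("laptop", "LAPTOP_PUBKEY_BASE64=", ["10.0.0.2/32"]),
    Peer("exit", "EXIT_PUBKEY_BASE64=", ["0.0.0.0/0"],
         endpoint="exit.example.test:51820"),
]
ROUTER = CryptokeyRouter(EXAMPLE_PEERS)

if __name__ == "__main__":
    print(ROUTER.route("192.168.10.5").name)          # office
    print(ROUTER.accept_inbound("laptop", "10.0.0.2"))  # True
    # laptop spoofing an office LAN address: dropped before it hits a route
    print(ROUTER.accept_inbound("laptop", "192.168.10.7"))  # False
    print(wg_quick_config("PRIVATE_KEY_BASE64=", "10.0.0.3/24", 51820, ROUTER))
```

The point to carry over to real configs: an over-broad AllowedIPs on one peer (such as 0.0.0.0/0 on an exit node) is a grant of spoofing capability to that peer for every address not more specifically claimed elsewhere, and assigning a prefix to a second peer silently removes it from the first.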
Canonical (Normative)
Convenient (Practical)
Related References
IETF (Internet Engineering Task Force): the primary standards body for internet protocols. Produces RFCs through working groups. Use the IETF Datatracker for active drafts, working group status, and revision history. Note that WireGuard itself has no RFC; the IETF references here cover the protocols it is compared against.
Related Specs
IPsec is the dominant VPN technology for enterprise site-to-site links (AWS VPN, Azure VPN Gateway, on-prem firewalls). Understanding tunnel vs transport mode, SAs, and the SPD is essential for configuring and debugging VPN connectivity.
IKEv2 is how IPsec tunnels are established and rekeyed. Every major cloud VPN gateway (AWS, GCP, Azure), enterprise firewall, and mobile VPN client supports IKEv2. Failures in the IKE_SA_INIT/IKE_AUTH exchanges (what IKEv1 called Phase 1) and in CREATE_CHILD_SA (Phase 2) are the most common VPN debugging scenario.
Nearly every HTTPS connection, SMTP/IMAP session over TLS, OAuth token exchange, and API call relies on TLS. It is the foundational security layer for application traffic.